ECS 2.0 – Configure a namespace for a tenant
While the configuration operations described in this article use the ECS portal, the concepts described in Understanding tenants and Understanding namespace settings apply whether you are using the portal or the REST API.
Namespaces are global resources in ECS and a System Admin or Namespace Admin accessing ECS at any federated VDC can configure the namespace settings. In addition, object users assigned to a namespace are global and can access the object store from any federated VDC.
The key characteristic of a namespace is that users from one namespace cannot access objects belonging to another namespace. In addition, ECS enables an enterprise to configure namespaces and to monitor and meter their usage, and enables management rights to be granted to the tenant so that it can perform configuration and monitoring and metering operations.
It is also possible to use buckets as a means of creating sub-tenants. The bucket owner is the sub-tenant administrator and can assign users to the sub-tenant using access control lists. However, sub-tenants do not provide the same level of segregation as tenants; any user belonging to the tenant could be assigned privileges on a sub-tenant, so care must be taken when assigning users.
- Enterprise single tenant
- All users access buckets and objects in the same namespace. Sub-tenants (buckets) can be created to allow a subset of namespace users to access the same set of objects. A sub-tenant could be a department within the enterprise.
- Enterprise multi tenant
- Different departments within an organization are assigned to different namespaces and department users are assigned to each namespace.
- Cloud Service Provider single tenant
- A single namespace is configured and the Service Provider provides access to the object store for users within the enterprise or outside the enterprise.
The features provided to enable management of tenants are described in Manage a tenant.
Each tenant has access to the replication groups made available by the System Admin. Depending on the access patterns of a tenant, they may require replication groups that include sites in specific geographies. For example, if a client tenant is located in China, they might prefer to access replication groups that include VDCs located in China.
Users with the appropriate privileges can create buckets, and can create objects within buckets, in the namespace.
The way in which namespace and bucket names are used when addressing objects in ECS is described in Addressing ECS object storage and using the Base URL.
- Default Replication Group
- The replication group in which a bucket will be created if no replication group is specified in a request. You can find out more information about the configuration of replication groups in Configure storage pools, VDCs, and replication groups.
- Namespace Administrators
- Users assigned to the Namespace Admin role for the namespace. The Namespace Admin is an ECS management user and can be a local or domain user.
- User Mappings
- The domains, groups, and attributes that identify the users who can be assigned as object users for a namespace. The way in which users are added to ECS and mapped to a specific namespace is described in Add users and assign roles.
- Quota
- When enabled, a quota size set against the namespace can cause an event to be logged (a soft quota) or access to be blocked (a hard quota) when a specified storage limit is reached.
- Retention Policy
- A namespace can have a number of associated retention policies, where each policy defines a retention period. By applying a retention policy to a number of objects, rather than applying a retention period directly, a change to the retention policy will cause the retention period to be changed for the complete set of objects to which the policy has been applied. A request to modify an object that falls before the expiration of the retention period will be disallowed.
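The retention behaviour described above can be sketched as a small model that checks what a policy edit would release before it is saved. This is an added example, not ECS code or the ECS API: the class, method names, policy names and object keys are constructed for illustration, and time is an integer count of minutes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Namespace:
    """Toy model (not ECS code): objects reference a policy name, not a period."""
    policies: Dict[str, Optional[int]] = field(default_factory=dict)   # minutes; None = Infinite
    objects: Dict[str, Tuple[int, str]] = field(default_factory=dict)  # key -> (created, policy)

    def set_policy(self, name: str, minutes: Optional[int]) -> None:
        self.policies[name] = minutes

    def put(self, key: str, created: int, policy: str) -> None:
        if policy not in self.policies:
            raise KeyError(f"unknown retention policy: {policy}")
        self.objects[key] = (created, policy)

    def can_modify(self, key: str, now: int) -> bool:
        created, policy = self.objects[key]
        period = self.policies[policy]      # resolved at request time
        if period is None:                  # Infinite never expires
            return False
        return now >= created + period

    def released_by_change(self, policy: str, new_minutes: Optional[int], now: int) -> List[str]:
        """Objects protected now that would become modifiable under the new period."""
        released = []
        for key, (created, name) in self.objects.items():
            if name != policy or self.can_modify(key, now) or new_minutes is None:
                continue
            if now >= created + new_minutes:
                released.append(key)
        return sorted(released)

def demo():
    day = 24 * 60
    ns = Namespace()
    ns.set_policy("finance-7d", 7 * day)    # constructed policy names and object keys
    ns.set_policy("legal-hold", None)
    ns.put("invoice-001", 0, "finance-7d")
    ns.put("invoice-002", 2 * day, "finance-7d")
    ns.put("contract-001", 0, "legal-hold")
    now = 3 * day
    before = {k: ns.can_modify(k, now) for k in ns.objects}
    at_risk = ns.released_by_change("finance-7d", 2 * day, now)
    ns.set_policy("finance-7d", 2 * day)    # one policy edit, no object touched
    after = {k: ns.can_modify(k, now) for k in ns.objects}
    return before, at_risk, after
```

In the model, shortening the policy from seven days to two on day three makes the oldest object modifiable while the newer one and the Infinite-policy object stay protected, which is the effect to check for when reviewing a change to a namespace retention policy.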
The namespace table comprises the following fields:
Before you begin
- To perform this operation, you must be assigned to the System Admin role in ECS.
- A replication group must exist. The replication group provides access to storage pools in which object data is stored.
- If you want to allow domain users to access the namespace, an authentication provider must have been added to ECS. In addition, if you intend to configure domain object users, you should plan how you want to map users into the namespace. You can refer to Add users and assign roles for more information on mapping users.
You should ensure you are familiar with the general information about namespaces provided in Understanding namespace settings.
- At the ECS portal, select
- To create a new namespace, select New Namespace. To edit the configuration of an existing namespace, choose the Edit action associated with the existing namespace.
- Specify an appropriate value for each of the fields.
Guidance on the settings for each field is provided in the table below.
- Enable and configure a quota.
- Set the Quota control to Enabled if you want to set a quota for the namespace.
- Choose Notification Only or Block Access.
If you choose to block access when a specified storage limit is reached, you can also specify a percentage of that limit at which a notification will be sent.
- Add and Configure Retention Policies.
- In the Retention Policies area, select Add to add a new policy.
- Enter a name for the policy.
- Specify the period for the Retention Policy.
This can be a value in minutes or you can select the Infinite checkbox to ensure that buckets to which this retention policy is assigned are never deleted.
- Specify an AD/LDAP domain whose users can log in to ECS and perform administration tasks for the namespace.
Enter the name of the domain and specify groups and attributes to provide finer grained control over the domain users that will be allowed to access ECS in the current namespace. To perform more complex mappings using groups and attributes, you should refer to Add users and assign roles.
- Select Save.